Wednesday, March 28, 2012

Is protecting businesses deposits the banks responsibility?

Originally published on 06/08/2011 on reports that a court magistrate has recommended that a motion for jury trial be denied in the case of Patco Construction Company, Inc v People's United Bank dba as Ocean Bank. This is another case that demonstrates the lower level of protection afforded business bank accounts than consumer accounts. If you never plan on opening a business that may not seem important to you, but if the company you're working for goes under because it's bank provided inadequate protection to business accounts it will be come very important

This case is similar in some ways to the case of Plains Capital v Hillary, which I followed pretty closely at the time. But there are differences. As far as I know no one ever figured out how the bad guys got the credentials from Hillary Machinery. The ZeuS trojan was allegedly the source of the compromise at Patco, and that is actually good evidence that the banks security was inadequate.

But the magistrate doesn't disagree that the security was inadequate. What he does disagree with is that it was the banks responsibility to have better security to protect it's customers data. He believes that the bank provided multi-factor authentication as recommended by the banking industry. Let's take a quick look at that. Multi-factor authentication is usually considered to require at least two out of three factors:

  • Something you know (like a password)
  • Something you have (like a cryptocard)
  • Something you are (like a fingerprint)

Krebs on Security reported on the recommended decision and noted that Patco tried to instruct the court on the state of multi-factor authentication today, but with little or no luck. They informed the court that trojans like ZeuS can negate the benefit of cryptocards, but apparently that was not good enough for the magistrate. Unless Patco appeals a decision based on his recommendation they will be out $300,000 that couldn't be recovered.

Consumers have a lot of legal protections when it comes to their money in the bank. Large businesses sheer size is their protection. But small and medium sized businesses have little or no legal protection. The Federal Financial Institutions Examination Council (FFEIC) was about to release updated guidelines last year, but didn't. It's criminal that there is no better guidance for banks on protecting ALL customers money, and something needs to be done. The someone doing it should not be the courts.